Critical Vulnerability Information

Vulnerability Type
Stored XSS: Stored XSS vulnerability triggered via wikitext.

Affected Versions
Affected Versions: <= 4.0.0
Fixed Version: None

CVSS Score
Severity: High (8.6/10)
Attack Vector: Network
Attack Complexity: Low
Required Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: Low

CVE ID
CVE-2025-59839

Weakness
CWE-79: Cross-site Scripting (XSS)

Reporter
SomeMWDev

Vulnerability Description
Summary: The EmbedVideo extension allows arbitrary attributes to be added to HTML elements, leading to stored XSS via wikitext.
Details: The iframe attributes are populated with values from an unescaped data attribute ( ), which can be set via wikitext.

PoC
1. Create a page containing the following content:
2. Click on the "Click me!" text.
3. Click the "Load video" button below.

Impact
Arbitrary HTML can be inserted into the DOM by any user, enabling JavaScript execution.
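Mitigation sketch for the flaw described under Details, as an added example that is not EmbedVideo's own code: instead of copying every key from the data attribute onto the iframe, filter it through an attribute allowlist and validate `src`. It assumes the data attribute carries a JSON object; `safeIframeAttrs`, `applyIframeAttrs`, `ALLOWED_IFRAME_ATTRS`, `ALLOWED_HOSTS` and the sample input are hypothetical.

```javascript
'use strict';
// Added example (hypothetical names): allowlist filter for iframe attributes
// that arrive in a user-controllable data attribute.

const ALLOWED_IFRAME_ATTRS = new Set([
  'src', 'width', 'height', 'title', 'allow', 'allowfullscreen', 'loading',
]);
// Constructed sample host list; a real deployment lists its enabled video services.
const ALLOWED_HOSTS = new Set(['player.vimeo.com', 'www.youtube-nocookie.com']);

// Returns only the attributes that are safe to set on the iframe.
function safeIframeAttrs(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch {
    return {}; // malformed input yields no attributes at all
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return {};

  const out = {};
  for (const [name, value] of Object.entries(parsed)) {
    const key = name.toLowerCase();
    if (!ALLOWED_IFRAME_ATTRS.has(key)) continue; // drops event handlers, srcdoc, style, ...
    if (typeof value !== 'string' && typeof value !== 'number') continue;
    const text = String(value);
    if (key === 'src') {
      let url;
      try { url = new URL(text); } catch { continue; }
      if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) continue;
      out.src = url.href;
    } else if (key === 'width' || key === 'height') {
      if (/^\d{1,4}$/.test(text)) out[key] = text; // plain pixel counts only
    } else {
      out[key] = text;
    }
  }
  return out;
}

// Sets the filtered attributes with setAttribute, never by building HTML strings.
function applyIframeAttrs(iframe, rawJson) {
  const attrs = safeIframeAttrs(rawJson);
  for (const [k, v] of Object.entries(attrs)) iframe.setAttribute(k, v);
  return attrs;
}

// Constructed sample of what a wikitext-controlled data attribute could hold.
const SAMPLE = '{"src":"https://player.vimeo.com/video/1","onload":"constructed",' +
  '"srcdoc":"constructed","width":"640","height":"1e9"}';
```

The same allowlist belongs on the server side where the data attribute is generated, so that the value is also HTML-escaped before it reaches the page.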